Backdoor Found on Router

Thursday, March 14, 2013 @ 04:03 PM gHale

Some TP-Link router models contain a backdoor: when a specially crafted URL is requested, the router responds by downloading and executing a file from the accessing computer, a security researcher said.

When a browser sends an HTTP GET request to http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html, the contacted router will connect back to the visitor’s IP address and contact any TFTP server running there, said Michał Sajdak from Securitum.

It will retrieve a file called nart.out from the TFTP server and execute it as root. However, this normally only works within a local network; an indirect exploit such as a CSRF attack should fail because the required TFTP server must be accessible within the LAN.
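A detection sketch for the sequence described above, added here as an example and not taken from the advisory: it flags requests to the debug URL and checks whether the router then sent a TFTP read request for nart.out to the same client. The event tuple layout, the 30-second window and the sample addresses are constructed assumptions.

```python
import struct
from urllib.parse import urlsplit
# Path and file name come from the article; all other values are constructed.
DEBUG_PATH = "/userRpmNatDebugRpm26525557/start_art.html"
PAYLOAD_NAME = "nart.out"
WINDOW_SECONDS = 30  # assumed correlation window

def parse_tftp_rrq(payload: bytes):
    """Return the filename of a TFTP read request (RFC 1350), else None."""
    if len(payload) < 4 or struct.unpack("!H", payload[:2])[0] != 1:
        return None
    fields = payload[2:].split(b"\x00")  # filename, mode, trailing empty
    if len(fields) < 3 or not fields[0]:
        return None
    return fields[0].decode("ascii", "replace")

def is_debug_request(request_line: str) -> bool:
    """True if the request target's path is the debug page (any method)."""
    parts = request_line.split()
    return len(parts) >= 2 and urlsplit(parts[1]).path == DEBUG_PATH

def detect(http_events, udp_events):
    """Correlate debug-URL hits with the router's TFTP fetch from the client."""
    findings = []
    for ts, client, router, line in http_events:
        if is_debug_request(line):
            fetched = any(
                src == router and dst == client and dport == 69
                and 0 <= t - ts <= WINDOW_SECONDS
                and parse_tftp_rrq(data) == PAYLOAD_NAME
                for t, src, dst, dport, data in udp_events)
            findings.append(("payload-fetch" if fetched else "trigger-only", client, router))
    return findings

def rrq(name: str) -> bytes:  # builds a sample RRQ payload for the capture below
    return struct.pack("!H", 1) + name.encode() + b"\x00octet\x00"

# Constructed events: (time, src, dst, request line) / (time, src, dst, dport, payload)
HTTP_LOG = [
    (100.0, "192.168.0.23", "192.168.0.1", "GET /index.html HTTP/1.1"),
    (160.0, "192.168.0.23", "192.168.0.1", "GET " + DEBUG_PATH + " HTTP/1.1"),
    (400.0, "192.168.0.57", "192.168.0.1", "GET " + DEBUG_PATH + "?x=1 HTTP/1.1"),
]
UDP_LOG = [
    (161.2, "192.168.0.1", "192.168.0.23", 69, rrq("nart.out")),
    (300.0, "192.168.0.40", "192.168.0.9", 69, rrq("pxelinux.0")),
]
if __name__ == "__main__":
    print(detect(HTTP_LOG, UDP_LOG))
```

A "trigger-only" finding means the URL was requested but no matching TFTP fetch was seen in the window; a "payload-fetch" finding means the router asked that client for the file.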

The advisory said the TL-WDR4300 and TL-WR743ND models suffer from the issue. Whether other models are also vulnerable remains unclear.

The manufacturer was not immediately available for comment. Sajdak said he repeatedly notified TP-Link of the problem but never received a reply, and that prompted him to publish the details. The researcher also used valid login credentials to establish an interactive root shell on the router, which ultimately led to the discovery of the backdoor that requires no authentication.